Web Services and Encryption

I have a few public web methods that can be called by anyone on the internet using SOAP. The only security I've added is a username and password that is embedded in the XML that is passed in as a parameter to the web methods. I want to make my methods more secure by encrypting the password, but I don't think that one-way encryption will do the trick if someone was to intercept my message. The web service has no knowledge of the callers; it only knows to validate the username and password combination.

Any ideas?
alaplume Asked:
 
inthedark Commented:
I expect that you have a good reason for not using HTTPS?

Here is a simple but effective encrypt/decrypt routine:

Hope this helps.....inthedark... :~)

Option Explicit

Private Sub Form_Load()

Dim m$
Dim l$
Dim password As String

m$ = "Mary had a little lamb"

password = "NICK WAS HERE"
Dim e$

e$ = Encrypt(m$, password)
l$ = Decrypt(e$, password)

If l$ <> m$ Then
   MsgBox "Stupid idea idea does not work"
Else
   MsgBox "Good idea idea it works: " + vbCrLf + m$ + vbCrLf + "Came back to: " + l$, vbExclamation, "First Test"
End If

' now the real test

Dim c As Long
m$ = ""
For c = 0 To 255
   m$ = m$ + Chr$(c)
Next c
l$ = Decrypt(Encrypt(m$, password), password)
If l$ <> m$ Then
   MsgBox "Stupid idea it does not work", vbExclamation, "Second Test"
Else
   MsgBox "Good idea it works very well"
   Me.AutoRedraw = True
   Me.Print "Good idea it works very well"
End If

End Sub


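Public Function Encrypt(SourceData As String, password As String) As String
    ' XOR each character of SourceData with the matching character of
    ' password, repeating the password when it is shorter than the data.

    Dim S$
    S$ = Space$(Len(SourceData))
    If Len(S$) = 0 Then Exit Function   ' empty input returns an empty string

    Dim PC As Long   ' current position in password
    Dim LC As Long   ' current position in SourceData

    For LC = 1 To Len(S$)
        PC = PC + 1
        If PC > Len(password) Then
            PC = 1   ' wrap around to the start of the password
        End If
        Mid$(S$, LC, 1) = Chr(Asc(Mid(SourceData, LC, 1)) Xor Asc(Mid$(password, PC, 1)))
    Next

    Encrypt = S$

End Function

Public Function Decrypt(EncryptedData As String, password As String) As String
    ' XOR is its own inverse, so decrypting is encrypting again with the same password.
    Decrypt = Encrypt(EncryptedData, password)

End Function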



0
 
inthedark Commented:
You could encrypt the password using the Session ID as a key for the encryption engine.

Do you need a simple encryption engine?
0
 
inthedark Commented:
The problem with using embedded encryption is that the client side needs to encrypt the data which means that you have to embed the encryption source code in the web page.

It would be better to work like POP3 server authentication. How this works is that when the client attaches to the server, the server hands the client a number. The client uses an encryption routine which minces the password and the number together to create a long string. The server knows which number he gave the client and the client's password, so he can encrypt the password in the same way and compare the encrypted result with the result from the client. I have a C DLL which uses something called MD5. Once encrypted by MD5 I don't think there is a way of decrypting it.

So the only way to make it work is for each client to have an ActiveX encryption routine like MD5, which is a one-way-only encryption.

In your case you can generate a new Key for each new session.  A hacker would always be given a new key and therefore could not benefit by sampling the conversation between host and client.

So all you have to do is work out how to save and utilise an ActiveX on each client's system.

I think it would be a lot easier to spend a few dollars and purchase an SSL key from www.verisign.com (or some other company); you could even create your own SSL key free.

It would be interesting to see other viewpoints on this issue.


0
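The POP3-style challenge-response exchange described in the comment above, as an added example that is not part of the original thread. It is a Python sketch with hypothetical names (`ChallengeServer`, `client_response`) and uses HMAC-SHA256 in place of the MD5 routine the comment mentions; the server discards each number after one use, so a captured response is rejected when replayed.

```python
import hashlib
import hmac
import secrets


class ChallengeServer:
    """Server side: knows each caller's password and the numbers it handed out."""

    def __init__(self, passwords):
        self._passwords = dict(passwords)   # username -> shared password
        self._pending = {}                  # session id -> outstanding nonce

    def issue_challenge(self):
        """Start a session and return (session_id, nonce); the nonce is fresh and random."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[session_id] = nonce
        return session_id, nonce

    def verify(self, session_id, username, response):
        """Accept only a response computed over this session's unused nonce."""
        nonce = self._pending.pop(session_id, None)   # single use: gone after first attempt
        password = self._passwords.get(username)
        if nonce is None or password is None:
            return False
        expected = client_response(password, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(password, nonce):
    """Client side: mix password and server number; the password itself is never sent."""
    return hmac.new(password.encode("utf-8"), nonce, hashlib.sha256).hexdigest()


def demo():
    # Constructed sample account, for illustration only.
    server = ChallengeServer({"alice": "constructed-sample-password"})
    sid, nonce = server.issue_challenge()
    captured = client_response("constructed-sample-password", nonce)
    first = server.verify(sid, "alice", captured)        # legitimate login
    replay_same = server.verify(sid, "alice", captured)  # same session replayed
    sid2, _ = server.issue_challenge()
    replay_new = server.verify(sid2, "alice", captured)  # captured value, new session
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```

This scheme requires the server to hold each password in a form it can recompute the response from, and it authenticates the caller without protecting the rest of the SOAP message, which is what HTTPS adds.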
AzraSound Commented:
"Build an XMLDOM - Safe DES CryptoStream Class Library in VB.NET"
http://www.eggheadcafe.com/articles/20020315.asp 
0
 
alaplume (Author) Commented:
As it turns out, I can use https after all!
0
 
inthedark Commented:
I am glad!
0
Question has a verified solution.